DETAILED ACTION

Response to Arguments 

1. Applicant's arguments filed 12/18/2008 have been fully considered.

2. In light of their claim amendments, Applicant's arguments regarding the previous
rejections made under 35 USC 101 are persuasive and thus said rejection has been 
withdrawn. 

3. Applicant continues by arguing the rejections made under 35 USC 102 in view of 
Khanolkar. The Examiner agrees that Khanolkar does not teach Applicant's claim 
language as amended, and thus said rejections have been withdrawn. However, after 
further consideration, a new grounds of rejection has been made under 35 USC 103; 
said grounds is discussed further below. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 1, 10 - 13, 14, 23 - 26, 27, 36 - 39, 82, 91 - 94 and 109 - 128 are rejected
under 35 U.S.C. 103(a) as being unpatentable over Khanolkar (US 7,127,743 B1) in 
view of Wiley (US 7,017,185 B1). 

6. Regarding claim 1, Khanolkar shows in a computer system comprising a
plurality of nodes interconnected for communication via a network, a method including
acts of capturing in a data structure a notification provided by a node on the network,
the notification having a characteristic and comprising at least a portion of a 
transmission by the node, the transmission describing a network event (Khanolkar, col. 
2 lines 10-67, col. 3 lines 57 - 65 and col. 4 lines 15-30) 

identifying a data element within the notification (Khanolkar, col. 6 lines 2 - 8, col. 
7 lines 1 - 3)

wherein the data element identifies a notification type for the notification, an 
originating IP address for the notification and/or a destination IP address for the 
notification (Khanolkar, col. 6 lines 1 - 24, col. 4 lines 11 - 55) and 

wherein the characteristic comprises an IP address of the node and/or a time 
period during which the notification occurred (Khanolkar, col. 6 lines 1 - 24, col. 4 lines 
11 - 55).

Khanolkar does not explicitly show all of where the data structure is a first data 
structure of a plurality of data structures, the first data structure being selected among 
the plurality of data structures to store the notification based at least in part on the 
characteristic; 

updating an index, based on the data element, with an indication of a location 
within the first data structure where the data element is recorded. 

Wiley shows where the data structure is a first data structure of a plurality of data 
structures (Wiley, col. 4 lines 40 - 65), the first data structure being selected among the 
plurality of data structures to store the notification based at least in part on the 
characteristic (Wiley, col. 6 lines 11 - 35, col. 7 lines 1-51); 

updating an index, based on the data element, with an indication of a location
within the first data structure where the data element is recorded (Wiley, col. 5 lines 25
- 67, col. 7 lines 1-51).

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the disclosure of Khanolkar with that of Wiley in order to provide 
faster access to stored data (Wiley, col. 2 lines 17 - 28). 

7. Regarding claim 14, Khanolkar in view of Wiley further show at least one
computer-readable medium encoded with instructions which, when executed by a 
computer, perform a method in a computer system comprising a plurality of nodes 
interconnected for communication via a network, a method including acts of: 

(A) capturing, in a first data structure of a plurality of data structures (Wiley, col. 4 
lines 40 - 65), a notification provided by a node on the network, the notification having a 
characteristic and comprising at least a portion of a transmission by the node, the 
transmission describing a network event (Khanolkar, col. 2 lines 10-67, col. 3 lines
57 - 65, col. 4 lines 15 - 30), the first data structure being selected among the plurality
of data structures to store the notification based at least in part on the characteristic
(Wiley, col. 6 lines 11 - 35, col. 7 lines 1-51);

(B) identifying a data element within the notification (Khanolkar, col. 6 lines 2-8, 
col. 7 lines 1 - 3); 

(C) updating an index, based on the data element, with an indication of a location 
within the first data structure where the data element is recorded (Wiley, col. 5 lines 25
- 67, col. 7 lines 1 - 51);

wherein the data element identifies a notification type for the notification, an
originating IP address for the notification and/or a destination IP address for the 
notification (Khanolkar, col. 6 lines 1 - 24, col. 4 lines 11 - 55) and 

wherein the characteristic comprises an IP address of the node and/or a time 
period during which the notification occurred (Khanolkar, col. 6 lines 1 - 24, col. 4 lines 
11 - 55).

8. Regarding claim 27, Khanolkar in view of Wiley further show a system for 
monitoring activity occurring in a computer system comprising a plurality of nodes 
interconnected for communication via a network, the system comprising at least one 
processor programmed to implement: 

a capture controller, said capture controller capturing, in a first data structure of a 
plurality of data structures (Wiley, col. 4 lines 40 - 65), a notification provided by a node 
on the network, the notification having a characteristic and comprising at least a portion 
of a transmission by the node, the transmission describing a network event (Khanolkar, 
col. 2 lines 10-67, col. 3 lines 57 - 65, col. 4 lines 15 - 30), the first data structure
being selected among the plurality of data structures to store the notification based at
least in part on the characteristic (Wiley, col. 6 lines 11 - 35, col. 7 lines 1 - 51);

an identification controller, said identification controller identifying a data element 
within the notification (Khanolkar, col. 6 lines 2-8, col. 7 lines 1 - 3); 

an update controller, said update controller updating an index, based on the data 
element, with an indication of a location within the first data structure where the data 
element is recorded (Wiley, col. 5 lines 25 - 67, col. 7 lines 1 - 51);

wherein the data element identifies a notification type for the notification, an
originating IP address for the notification and/or a destination IP address for the 
notification (Khanolkar, col. 6 lines 1 - 24, col. 4 lines 11 - 55) and 

wherein the characteristic comprises an IP address of the node and/or a time 
period during which the notification occurred (Khanolkar, col. 6 lines 1 - 24, col. 4 lines 
11 - 55).

9. Regarding claim 82, Khanolkar in view of Wiley further show a system for 
monitoring activity occurring in a computer system comprising a plurality of nodes 
interconnected for communication via a network, the system comprising at least one 
processor programmed to implement: 

means for capturing, in a first data structure of a plurality of data structures 
(Wiley, col. 4 lines 40 - 65), a notification provided by a node on the network, the 
notification having a characteristic and comprising at least a portion of a transmission by 
the node, the transmission describing a network event (Khanolkar, col. 2 lines 10-67, 
col. 3 lines 57 - 65, col. 4 lines 15 - 30), the first data structure being selected among
the plurality of data structures to store the notification based at least in part on the 
characteristic (Wiley, col. 6 lines 11 - 35, col. 7 lines 1 - 51); 

means for identifying a data element within the notification (Khanolkar, col. 6 
lines 2-8, col. 7 lines 1 - 3); 

means for updating an index, based on the data element, with an indication of a 
location within the first data structure where the data element is recorded (Wiley, col. 5 
lines 25 - 67, col. 7 lines 1 - 51);

wherein the data element identifies a notification type for the notification, an
originating IP address for the notification and/or a destination IP address for the 
notification (Khanolkar, col. 6 lines 1 - 24, col. 4 lines 11 - 55) and 

wherein the characteristic comprises an IP address of the node and/or a time 
period during which the notification occurred (Khanolkar, col. 6 lines 1 - 24, col. 4 lines 
11 - 55).

10. Regarding claims 10, 23, 36 and 91, Khanolkar in view of Wiley further show
wherein the transmission comprises at least one of a SYSLOG message, an SNMP 
message, a NetFlow message and a TCP packet (Khanolkar, col. 2 line 40 and col. 5 
lines 10-50). 

11. Regarding claims 11, 24, 37 and 92, Khanolkar in view of Wiley further show
accessing the index to determine, based on the indication, the location of the data 
element within the first data structure, and accessing the data element at the location 
(Wiley, col. 4 lines 31 - 67, col. 7 lines 1 - 51). 

12. Regarding claims 12, 25, 38 and 93, Khanolkar in view of Wiley further show
creating a summary based at least in part on a presence of the data element within the
notification (Wiley, col. 4 lines 31 - 67, col. 7 lines 1 - 51). 

13. Regarding claims 13, 26, 39 and 94, Khanolkar in view of Wiley further show an
act comprising accessing the summary to determine the presence of the data element 
within the first data structure (Wiley, col. 4 lines 31 - 67, col. 7 lines 1 - 51). 

14. Regarding claims 109, 114, 119 and 124, Khanolkar in view of Wiley further
show wherein the data element identifies a notification type for the notification
(Khanolkar, col. 6 lines 59 - 65, col. 7 lines 23 - 59).

15. Regarding claims 110, 115, 120 and 125, Khanolkar in view of Wiley further
show wherein the data element identifies an originating IP address for the notification
(Khanolkar, col. 6 lines 3 - 14 and Wiley col. 4 lines 4 - 8, col. 4 lines 51 - 57).

16. Regarding claims 111, 116, 121 and 126, Khanolkar in view of Wiley further 
show wherein the data element identifies a destination IP address for the notification 
(Wiley col. 4 lines 4 - 8, col. 4 lines 51 - 57).

17. Regarding claims 112, 117, 122 and 127, Khanolkar in view of Wiley further
show wherein the characteristic comprises an IP address of the node (Khanolkar, col. 6
lines 3 - 14 and Wiley col. 4 lines 4 - 8, col. 4 lines 51 - 57).

18. Regarding claims 113, 118, 123 and 128, Khanolkar in view of Wiley further
show wherein the characteristic comprises a time period during which the notification 
occurred (Khanolkar, col. 6 lines 3 - 14). 

19. Claims 2, 3, 15, 16, 28, 29, 83, and 84 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Khanolkar in view of Wiley as applied to claims 1, 14, 27 and
82 above, further in view of Martenson (US 6,219,708 B1). 

20. Regarding claims 2, 15, 28 and 83, Khanolkar in view of Wiley show claims 1, 14,
27 and 82. 

Khanolkar in view of Wiley do not explicitly show storing the first data structure in 
a non-volatile storage. 

Martenson shows storing the data structure in a non-volatile storage (col. 6 lines
43-55). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the disclosure of Khanolkar in view of Wiley with that of Martenson in order to
ensure that the data formulated, filtered and processed by the method of Khanolkar is 
archived for future use on a common and well-understood storage mechanism. 

21. Regarding claims 3, 16, 29 and 84, Khanolkar in view of Wiley and Martenson
further show storing the first data structure in a file system in the non-volatile storage 
(Martenson, col. 6 lines 43 - 55). 

22. Claims 4, 17, 30 and 85 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Khanolkar in view of Wiley and Martenson and as applied to claims 3, 16, 29 and
84 above, and further in view of Richard et al. (US 2005/0015461 A1), hereafter 
Richard. 

Khanolkar in view of Wiley and Martenson show claims 3, 16, 29 and 84. 

Khanolkar in view of Wiley and Martenson do not explicitly show the file system is a
hierarchical file system. 

Richard shows where the file system is a hierarchical file system ([111]).

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the disclosure of Khanolkar in view of Wiley and Martenson with that 
of Richard in order to utilize a common type of file system (Richard, [111]).

23. Claims 7, 20, 33 and 88 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Khanolkar in view of Wiley, further in view of Microsoft Computer 
Dictionary, 5th Edition.

24. Regarding claims 7, 20, 33 and 88, Khanolkar in view of Wiley show claims 1, 14,
27 and 82. 

Khanolkar in view of Wiley do not explicitly show where the data structure is a
file.

Microsoft Computer Dictionary shows files (pgs. 2 - 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the disclosure of Khanolkar in view of Wiley with that of Microsoft 
Computer Dictionary in order to utilize common ideas in computing environments. 

25. Claims 8, 9, 21, 22, 34, 35, 89 and 90 are rejected under 35 U.S.C. 103(a) as
being unpatentable over Khanolkar in view of Wiley and Martenson as applied to claims
2, 15, 28 and 83 above further in view of Microsoft Computer Dictionary, 5th Edition.

26. Regarding claims 8, 21, 34 and 89, Khanolkar in view of Wiley and Martenson
show claims 2, 15, 28 and 83. 

Khanolkar in view of Wiley and Martenson do not explicitly show an act of 
compressing the data structure. 

Microsoft Computer Dictionary shows compression of files, such as data 
structures (pgs. 2 - 3 and 4 - 5).

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the disclosure of Khanolkar in view of Wiley and Martenson with that 
of Microsoft Computer Dictionary in order to utilize common ideas in computing
environments, as well as to optimize the storage size of the data structure. 

Khanolkar in view of Wiley, Martenson and Microsoft Computer Dictionary thus 
show claims 8, 21, 34 and 89.

27. Regarding claims 9, 22, 35 and 90, Khanolkar in view of Wiley, Martenson and 
Microsoft Computer Dictionary further show an act of creating a digital signature for the
data structure (Microsoft Computer Dictionary, pgs. 2-3 and 6). 

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to John M. Macllwinen whose telephone number is (571)
272-9686. The examiner can normally be reached on M-F 7:30AM - 5:00PM EST; off
alternate Fridays.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Andrew Caldwell can be reached on (571) 272-3868. The fax phone 
number for the organization where this application or proceeding is assigned is
571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Andrew Caldwell/ 

Supervisory Patent Examiner, Art Unit 2442

John Macllwinen 
(571)213-6095 